USE AS A DELEGATE

This role strictly implements a notion of an authenticatable identity, not of a user.

If you want to support renaming, multiple authentication methods (e.g. a password and/or an openid), it's best to create identity delegates that consume this role, and have them point at the actual user object:

Since the identity is part of the objects' ID uniqueness is enforced in a portable way (you don't need to use the DBI backend and a custom unique constraint).

This also allows you to easily add additional authentication schemes, change them, provide namespacing support and so on without affecting the high level user object, which represents the actual account holder regardless of the authentication scheme they used.